How NSA Data Demands On Microsoft Shape Your Security

Microsoft is legally prevented from saying too much about charges that it collaborated with the NSA. Product security gets caught in this complex situation.

Is Microsoft -- and by extension the likes of Google and Yahoo -- being prevented from adding security improvements to its consumer Web services because of U.S. government surveillance demands?

A review of the recent wrangling among Microsoft, the U.S. government and critics of Microsoft's cooperation with government surveillance efforts provides a glimpse into this complex state of affairs.

The Guardian last week accused Microsoft of giving the U.S. National Security Agency backdoor access to Outlook.com encryption and Skype communications to facilitate the NSA's anti-terrorism surveillance programs. To be fair to Microsoft, the NSA can already directly access data from multiple Web services, including Gmail, Hotmail and Yahoo, plus numerous chat and video services, according to documents leaked by NSA contractor Edward Snowden.

What are those inaccuracies? We don't know. Microsoft says it's legally prohibited from detailing them. It also says it can't say more about the data demands approved by the Foreign Intelligence Surveillance (aka FISA) Court, with which it must comply. "Today we have asked the Attorney General of the United States to personally take action to permit Microsoft and other companies to share publicly more complete information about how we handle national security requests for customer information," wrote Microsoft general counsel Brad Smith last week. "We believe the U.S. Constitution guarantees our freedom to share more information with the public, yet the government is stopping us."

Or as parodied by Belarusian writer and researcher Evgeny Morozov: "To be clear, this statement that our company has written to clarify its relationship with NSA is not meant to make anything clear."

Then again, is it fair to ask Microsoft's PR and legal machines to operate with their hands tied behind their backs? "Microsoft is obligated to comply with the applicable laws that governments around the world -- not just the United States -- pass, and this includes responding to legal demands for customer data," Smith said. "All of us now live in a world in which companies and government agencies are using big data, and it would be a mistake to assume this somehow is confined to the United States."

Despite the gag order preventing Microsoft from fully responding to the criticism leveled against it, Smith claimed that on the Outlook.com front, "we do not provide any government with direct access to emails or instant messages." Furthermore, he said that changes made to Skype in 2012 "were not made to facilitate greater government access to audio, video, messaging or other customer data."

It's not Microsoft's fault that governments want this information. Furthermore, White House and intelligence officials insist (of course) that such data is being collected only in legal ways. But could, and should, Microsoft be taking steps that might raise the bar for intelligence agencies that want to collect intelligence on its users?

For example, the Communications Assistance for Law Enforcement Act (CALEA), while requiring some businesses to let the government wiretap their communications, also says that "a telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

Then again, "a secret order from the FISA Court, which might be among the 'aspects of this debate' that Microsoft finds it's unable to discuss, could provide a new reason why Microsoft doesn't act to better protect Skype users against eavesdropping," said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation (EFF), in a blog post. "If the secret order required Microsoft to turn over Skype users' communications on an ongoing basis, Microsoft might fear that changing the Skype technology in a way that stopped it from complying would violate the order." In other words, the government's demands for data might make it difficult for Microsoft to alter its system, at least in a way that trades enhanced encryption for easy interception.

For example, while Skype offers "end to end" encryption, the EFF says Skype also serves as a certificate authority for users. As a result, anyone with access to Skype's keys could intercept any Skype communications. In other words, "Skype is in a position to give the government sufficient data to perform a man-in-the-middle attack against Skype users," Christopher Soghoian, a principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, argued last year.

"This security limitation has concerned us for a long time," said the EFF's Schoen. "One way of limiting man-in-the-middle attacks would be for Skype to introduce a way for users to do their own encryption key verification, without relying on the Skype service." Such a feature would let users verify that they're not being spied on, and other encryption systems already offer this feature, including PGP and HTTPS. But Skype -- since acquired by Microsoft -- has declined to add such a feature, despite related requests from privacy rights groups.
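As an added illustration (not from the article, the EFF or Skype, and not Skype's actual protocol), this Python example models the user-side key verification Schoen describes: each party derives a short "safety number" from its own public key and the key the service handed it for the peer, then compares the result over a separate channel. The Directory class, the constructed key bytes and the safety_number format are assumptions made for the example.

```python
import hashlib
import hmac

def safety_number(my_key: bytes, peer_key: bytes) -> str:
    """Order-independent digest over both public keys, as readable digit groups."""
    first, second = sorted((my_key, peer_key))
    digest = hashlib.sha256(b"safety-number-v1" + first + second).digest()
    # Six groups of five digits: short enough to read aloud to the other party.
    groups = [int.from_bytes(digest[i:i + 4], "big") % 100000
              for i in range(0, 24, 4)]
    return " ".join(f"{g:05d}" for g in groups)

class Directory:
    """Hypothetical stand-in for a service that vouches for users' public keys."""
    def __init__(self, substitute=None):
        self.keys = {}
        self.substitute = substitute  # if set, handed out instead of the real key

    def register(self, user, public_key):
        self.keys[user] = public_key

    def lookup(self, user):
        if self.substitute is not None:
            return self.substitute
        return self.keys[user]

# Constructed 32-byte values standing in for real public keys.
ALICE_KEY = hashlib.sha256(b"constructed alice key").digest()
BOB_KEY = hashlib.sha256(b"constructed bob key").digest()
OTHER_KEY = hashlib.sha256(b"constructed substituted key").digest()

def numbers_match(directory: Directory) -> bool:
    """True if both users would read out the same safety number."""
    directory.register("alice", ALICE_KEY)
    directory.register("bob", BOB_KEY)
    # Each side uses its own key plus whatever the directory returned for the peer.
    alice_view = safety_number(ALICE_KEY, directory.lookup("bob"))
    bob_view = safety_number(BOB_KEY, directory.lookup("alice"))
    return hmac.compare_digest(alice_view, bob_view)

if __name__ == "__main__":
    print("honest directory:     ", numbers_match(Directory()))
    print("substituting directory:", numbers_match(Directory(substitute=OTHER_KEY)))
```

The comparison only helps if the two numbers are exchanged over a channel the key-vouching service does not control, such as in person or by phone.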

The continuing rise in cybercrime, of course, means that everyone's communications need better safeguarding against interception. Intelligence agents aren't the only people who can execute man-in-the-middle attacks against Skype or target Gmail accounts. In the wake of PRISM and every other obscurely named NSA surveillance program under the sun demanding freer access to Web data, is this government-ordered surveillance subverting the information security of widely used consumer services?

That's also a topic Microsoft is legally prevented from addressing. The White House, responding to a suit filed by the ACLU, claimed last week that the NSA's surveillance programs are fully legal. "The alleged metadata program is fully consistent with the Fourth Amendment" prohibition against unreasonable search or seizure, and thus doesn't violate the free speech protections of the First Amendment, assistant U.S. attorney David S. Jones wrote in a Thursday filing to U.S. District Judge William H. Pauley.

Even if Microsoft and the NSA could freely discuss the tradeoffs inherent in the current surveillance programs, there aren't easy answers. Federal judge James G. Carr, who served on the FISA Court from 2002 to 2008, has called on Congress to let the court appoint technologically sophisticated, pro-bono lawyers "with high-level security clearance" to argue against the government's filings and help judges balance surveillance requests with civil liberties concerns. In other words, let the judges tasked with overseeing FISA requests actually understand the full implications of those requests.

Better oversight might also address the open question of whether the NSA's voracious data-interception demands are weakening the information security protections being offered to consumers and businesses.


Microsoft (and Google and Yahoo and Facebook, etc.) are conveniently feigning powerlessness when it comes to these NSA programs. Setting aside 4th amendment issues, these companies' constitutional 1st amendment right to free speech is infringed upon by Section 215 of the Patriot Act. Without revealing the specific orders, they have legal standing to take this to the appropriate, open federal court to challenge the relevant sections of the law. They simply fail, due to incompetence or willful neglect, to defend their rights. Additionally, while section 215 does gag any of these companies from disclosing FISA court orders, it does not prevent them from disclosing information about their software. That is, the Patriot Act does not stop them from hiring an independent firm to audit their software and provide a public report on the security. If they want. Either way, Microsoft et al. are partially responsible for their fate in this matter.
